Manage passwords without state

Posted by tycho on 2013-09-06

A few years ago I had a problem: I had a bunch of accounts that I accessed once a year when tax time came around, and I kept forgetting the passwords. Often I'd try a few before locking myself out, and then I'd have to spend an hour on the phone with customer service getting my account unlocked, which meant if I was doing my taxes on the last weekend possible, I wouldn't be able to complete them until the next business day. The obvious solution to this problem is to store the passwords in some kind of password manager -- lots of them exist for all kinds of platforms: phone, computer, browser, etc.

The problem with password manager is that they typically require some kind of state file. They store the mapping between site and cleartext password in some file, and then they decrypt it with some secret from you when you want to access it. Thus, you have to 1. trust the person who is doing the encrypting and decrypting that they are doing it correctly so that when your laptop gets stolen your passwords aren't leaked, and 2. you have to have access to the machine that the passwords are stored on when you want to use them. If you've left your laptop at home or you forgot to back up your password file when you got a new computer, you're SOL.

What's the solution? A password manager without state, of course! Since we're assuming the user can remember at least one pretty good password, we can use that as our "state", so we end up with the algorithm as follows:

hash = sha512(user_secret + "example.org")
base64encode(hash)[:10]

Here, we're using the domain to salt the user secret so the generated passwords are different for each site. sha512 provides randomness, although we are only using the first 60 bits of the output here (10 base64 characters, each character encodes six bits of entropy), there are significantly more bits of entropy here than in your typical English character, making it a much stronger password. Further, the algorithm is very simple, and you could re-implement it on any computer that has your favorite programming language environment available. Thus, you can use it in a pinch, since all you need to remember are the algorithm and your user_secret. I've published a python script that implements this mechanism, so you don't even have to remember the algorithm

Qtile 0.6 released!

Posted by tycho on 2013-05-11

I have just tagged and released qtile 0.6! This release comes exactly 6 months after our last release (not intentionally, it just happened to work out that way). You can check out the full release notes for a list of most of the changes.

I thought I'd discuss a bit about the breaking config changes we made. A few of them were long standing TODOs in the code, but the major one (and the one that motivated cleaning up all the rest) was creating a new config module where all of the objects used in configuration live. The primary motivation for this change was to remove a lot of crazy hacks we had in the test system to get around circular imports, since the configuration objects and main manager were all in the same file. However, it also makes sense from a code organization standpoint, because manager.py was getting huge. I think user impact will be minimal, because configs can be updated with a simple regex. That said, I will only be updating the Ubuntu 13.04 packages, so as not to break configs for existing users on older packages with a simple dselect-upgrade.

Hquery, an HTML5 tree rewriting tool

Posted by tycho on 2013-01-29

Recently I began rewriting the framework that powers this blog (gtfo) in haskell. Among other things, I needed a good tree rewriting utility for processing templates and generating content. I've been using Lift at work for a while now, so I built hquery, which is basically an implementation of Lift's CSS Selectors over xmlhtml trees. You can see some examples of the kind of transformations it allows in hquery's readme. Additionally, it is available from hackage via cabal install hquery.

Feedback is welcome, as this is my first haskell API. Bug reports and patches are of course welcome too :-)

Qtile 0.5 released!

Posted by tycho on 2012-11-11

Hello! Today, I'm proud to announce the release of Qtile 0.5. A wildly incomplete changelog is available here. Qtile 0.5 comes more than two years after the release of 0.4. There have been many major improvements and bugfixes by nearly 50 contributors. Many thanks to everyone who was involved, and long live tiling window managers!

A few things to note about these packages. First: they now install a qtile.desktop file, so any compliant freedesktop.org login manager should see qtile as a login option. Note that this just invokes qtile directly with no arguments, so you'll have to put your configs in the standard location. If you want to run a custom .xsession, you'll still need to set that up yourself.

Second, these packages no longer depend on xpyb-ng, but depend on xpyb (1.3.1) directly. I did this for a few reasons. I've had several users report that 1.3.1 works directly for them (i.e. xpyb-ng is not actually required to run qtile). If there is no problem with using the stock implementation, I felt like we should switch to that. Naturally, if problems come up and we need to move back to our fork, I'm happy to rebuild, however, I think that's unlikely.

Third, which hash are these packages based on? They're based on 87dc6924cb, which is on the development branch. I've been running this code both at home and at work for several months now, as well as several other people. While there are still several bugs (patches welcome!), I feel that it's much more stable and user friendly than the master branch.

Fourth, based on some statistics that Launchpad provides, it looks like there were about 100 installs of the Ubuntu PPA. One or two of those were probably my test VMs, but that means there were a fair number of other people who checked qtile out. Very cool!

Feel free to e-mail me or qtile-dev with any feedback! (Unfortunately, I've been inadvertently banned from qtile-dev somehow. Still waiting on a resolution to that, so if you find a bug with the packages, go ahead and just file it on the github tracker and I'll fix it ASAP.)

Viridian/Ampache local control

Posted by tycho on 2012-01-23

Recently at work I've been using Viridan to listen to music at work. It has its warts, but generally works pretty well. There's even an XMLRPC server built in, so you can control it remotely. However, there's not a huge number of clients out there, so I wrote my own little script so that I could start and stop it from a Qtile keybinding, and I thought I'd put it up here for anyone else who is interested. Here's an example session:

Installing Qtile on Ubuntu 11.10 (Oneiric Ocelot)

Posted by tycho on 2012-01-26

Recently, there has been some discussion on qtile-dev about installing the latest and greatest version of qtile. Unfortunately, the install process has historically been a journey into dependency hell, since distributions didn't have the latest versions of some libraries required by qtile. The good news is that this has mostly been fixed (although very few documents anywhere state this), so it's hard to know what to install by hand and what you can use packages for.

To complicate matters more, there are several versions of xpyb floating around, none of which have working build systems! If you knew enough about pkg-config and weren't afraid of manually installing files, you could get everything to work, but it did bar the "normal user" from installing qtile. Hopefully this blog post will clarify a few things.

First, what dependencies do you need to install? Contrary to what the docs say, in 11.10 (and presumably later versions of Ubuntu), you don't need to build your own cairo or xcb. You can simply:

After that, you'll need to install py2cairo. The waf based build doesn't appear to detect xpyb correctly, so you'll need to go the autoconf route. Even with autoconf, the build system is slightly broken, so you'll need to be explicit about what directories to look in for xpyb.h. If you used the above build of xpyb, you can:

If you have any questions or problems, feel free to mail qtile-dev or me directly. I am going to try and package qtile and put it in a PPA, but I doubt I will get to that for another few weeks. This should help anyone who is interested enough to build it in the meantime, though!

Python "binding" for Ampache

Posted by tycho on 2011-12-19

Ahoy!

Just writing a quick post to pimp my new Ampache "bindings", which are called ampyche, naturally ;-). I slapped them together one afternoon mostly to get an understanding of the Ampache API, so that's why I used my native language. I have no specific plans for any python applications using them, but I'm interested in improving the stability of Android-based Ampache clients, as well as adding support for Ampache to Clementine, so I thought this would be a good place to start.

Gmail, Conky, and libnotify

Posted by tycho on 2010-08-01

Several years ago I discovered a fantastic system monitor named conky. Over the years I've been tweaking my .conkyrc and it has really evolved into a little command center all on it's own. However, I read my e-mail through a mutt, and thus to check it I have to open mutt and look and see if I have any new mail. This is often obnoxious, because I'll either forget to check and miss something until later, or I'll check a lot and not get any e-mail. Today it occurred to me "hey, computers are good at repetitive tasks!", so I decided to automatically check my e-mail and render the results in conky. I also have heard lots of noise about libnotify, and how wonderful it is, so I decided to use that as well. The result is a script which checks a user's Gmail (using a password stored in a keyring), updates conky, and shows a libnotify notification if necessary. It also supports querying of arbitrary Gmail labels, allowing you to display unread counts for other e-mail addresses you might possibly have mapped to your Gmail account.

You can get your own copy to play around with if you like. It's fairly well documented, but I'll answer any questions anyone has. The dependencies (at least on Ubuntu) are python-notify python-keyring and your favorite of: python-keyring-gnome or python-keyring-kwallet.

I've released it under a beerware style license, in hopes that someone, somewhere, might find it useful. Feedback is appreciated!

Gmail Atom Feed Authentication

Posted by tycho on 2010-08-03

Perhaps the most complicated part of the application in my recent post was the authentication with Gmail. Although my final method boils down to only a few lines of python, Google describes severaldifferentways to authenticate (additionally, putting the username and password directly in the URL). I didn't like any of these options, as some seemed much too complicated for what I wanted to do, some didn't work, and some were too insecure. However, it turns out that the atom feed supports HTTP's basic access authentication. In python, this is fairly easy to do:

Note that the above also works for Google apps users you just have to stick "/a/example.com" in the appropriate spot in the URL. Hopefully this will help out someone else who is hopelessly bashing Google's servers with failed login attempts ;-)